Skip to main content

Your First Analysis

This guide will walk you through your first analysis session with xAnalyzer. You’ll learn how to analyze code, interpret the results, and use the plugin’s core features.
Before starting, ensure you have installed xAnalyzer and verified it appears in the x64dbg Plugins menu.

Load an Executable

Let’s start by loading a program to analyze:
1

Launch x64dbg

Open either x32dbg.exe or x64dbg.exe depending on your target architecture
2

Open a file

  • Click FileOpen (or press F3)
  • Select any Windows executable (for this guide, you can use a system utility like notepad.exe or calc.exe)
  • x64dbg will load the executable and pause at the entry point

Running Your First Analysis

xAnalyzer offers several analysis modes. Let’s start with the most common ones:

Selection Analysis

Analyze a specific section of code:
1

Select instructions

In the Disassembly window, click and drag to select multiple instructions (or use Shift + Arrow keys)
2

Run analysis

Right-click on the selection and choose:
xAnalyzer → Analyze Selection
Or use the command in the command bar:
xanal selection
3

Review results

Watch as xAnalyzer adds:
  • Function definitions and names
  • Parameter information with types
  • Argument values and their meanings
  • Additional context in comments
Selection analysis is fast and focused - perfect for examining specific code sections without analyzing the entire module.

Function Analysis

Analyze an entire function automatically:
1

Position cursor

Click on any instruction within a function you want to analyze
2

Run function analysis

Right-click and select:
xAnalyzer → Analyze Function
Or use the command:
xanal function
3

Examine the results

xAnalyzer automatically:
  • Detects function boundaries (prolog to epilog)
  • Analyzes all instructions within the function
  • Identifies loops and control flow
  • Comments all API calls with parameters

Module Analysis

Perform a comprehensive analysis of the entire executable:
Module analysis can take significant time and memory for large executables, especially with Extended Analysis enabled. Start with smaller files when learning.
1

Start module analysis

From the menu:
Plugins → xAnalyzer → Analyze Module
Or use the command:
xanal module
2

Monitor progress

A progress indicator shows the analysis status. You can continue working in x64dbg while analysis runs.
3

Review execution summary

When complete, check the Log tab for an execution summary showing:
  • Defined API calls detected
  • Undefined function calls found
  • Loops detected
  • Total comments and labels added

Understanding the Analysis Results

xAnalyzer enriches your disassembly with several types of information:

Function Call Comments

For API calls, you’ll see detailed parameter information: 
push 0                          ; uType = MB_OK
push offset aErrorTitle         ; lpCaption = "Error"
push offset aErrorMessage       ; lpText = "An error occurred"
push 0                          ; hWnd = NULL
call MessageBoxA                ; MessageBoxA(hWnd, lpText, lpCaption, uType)
```asm

The plugin automatically:
- Identifies each parameter by name
- Shows the parameter type
- Resolves constant values to their symbolic names (e.g., `MB_OK`)
- Provides the complete function signature

### Loop Detection

xAnalyzer automatically identifies loops in your code:

```asm
.loop_start:                    ; Loop detected
    mov eax, [esi]
    test eax, eax
    jz .exit
    ; ... loop body ...
    jmp .loop_start             ; Jump to loop start
.exit:
```asm

<Note>
Loop detection helps you quickly identify iterative structures, making control flow analysis easier.
</Note>

### Indirect Call Resolution

The plugin can identify and comment indirect function calls:

```asm
mov eax, dword ptr [ebx+10h]    ; Function pointer
call eax                         ; Calling: SomeAPIFunction
```asm

Supported indirect call patterns:
- `CALL {REGISTER}` - Register-based calls
- `CALL {REGISTER + DISPLACEMENT}` - Offset-based calls
- `CALL {DYNAMIC_POINTER}` - Memory pointer calls

## Essential Commands

Quick reference for xAnalyzer commands:

<CodeGroup>
```bash Analysis Commands
xanal selection      # Analyze selected instructions
xanal function       # Analyze current function
xanal module         # Analyze entire module
```bash

```bash Removal Commands
xanalremove selection   # Remove analysis from selection
xanalremove function    # Remove analysis from function
xanalremove module      # Remove all analysis
```bash

```bash Help
xanal help           # Display help in log window
```bash
</CodeGroup>

<Tip>
You can set custom hotkeys for these commands in x64dbg's keyboard shortcuts settings. This makes analysis even faster during your workflow.
</Tip>

## Working with Analysis Options

xAnalyzer's behavior can be customized through its options menu:

<Steps>
  <Step title="Access options">
    Navigate to:
Plugins → xAnalyzer → Options 
</Step>

<Step title="Key options to know">
- **Automatic Analysis**: Analyze automatically when debugger reaches entry point
- **Extended Analysis**: Perform deep analysis of entire code section (slower but more thorough)
- **Analyze Undefined Functions**: Include generic analysis for functions not in API definitions
</Step>
</Steps>

### Automatic Analysis

When enabled, xAnalyzer runs automatically at the entry point:

<Check>
**Best for:** Regular debugging sessions where you want immediate analysis
</Check>

<Warning>
Automatic analysis may add a few seconds to your load time, especially with large executables or Extended Analysis enabled.
</Warning>

### Extended Analysis

Enables comprehensive analysis of the entire code section:

<Check>
**Provides:**
- Analysis beyond the main module
- Detection of code in all sections
- More thorough API call detection
</Check>

<Warning>
**Caution:** Extended analysis can consume significant memory and time for large executables. Use selectively for complex binaries.
</Warning>

### Analyze Undefined Functions

When enabled, xAnalyzer provides generic analysis for:
- Functions not in API definition files
- Internal subroutines
- Register/pointer-based calls

```asm
call sub_401000              ; arg1, arg2, arg3, arg4

Practical Example: Analyzing a Function

Let’s walk through a real analysis scenario:
1

Find a function call

In the disassembly, locate a function call (look for call instructions). Common examples:
call CreateFileA
call RegOpenKeyExA
call VirtualAlloc
2

Analyze the function

Click on an instruction inside the function containing the call, then:
Right-click → xAnalyzer → Analyze Function
3

Examine the enriched output

Before analysis:
push 0
push 80h
push 3
push 0
push 1
push 80000000h
push offset aFilename
call CreateFileA
After analysis:
push 0                          ; hTemplateFile = NULL
push 80h                        ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
push 3                          ; dwCreationDisposition = OPEN_EXISTING
push 0                          ; lpSecurityAttributes = NULL
push 1                          ; dwShareMode = FILE_SHARE_READ
push 80000000h                  ; dwDesiredAccess = GENERIC_READ
push offset aFilename           ; lpFileName = "config.dat"
call CreateFileA                ; CreateFileA(lpFileName, dwDesiredAccess, ...)
Notice how xAnalyzer transforms cryptic numeric values into meaningful constant names like GENERIC_READ and FILE_ATTRIBUTE_NORMAL, making the code’s intent immediately clear.

Removing Analysis

If you need to clean up or re-analyze:
1

Select the scope

Choose what to clean:
  • Specific instructions (make a selection)
  • Current function (position cursor)
  • Entire module (any location)
2

Remove analysis

xAnalyzer → Remove Analysis → [Selection/Function/Module]
Or use commands:
xanalremove selection
xanalremove function
xanalremove module
Removing and re-analyzing can be useful when you’ve changed settings or updated API definition files.

Tips for Effective Analysis

Start Small

Begin with selection or function analysis to get familiar with the output before running module-wide analysis

Use Commands

Learn the command shortcuts (xanal function, etc.) for faster workflow than using menus

Check the Log

Always review the execution summary in the Log tab to see analysis statistics and any issues

Customize Definitions

If you work with specific libraries, consider adding custom API definitions to the apis_def folder

Common Patterns to Look For

After analysis, look for these patterns that xAnalyzer helps identify:

File Operations

call CreateFileA        ; Opening files
call ReadFile           ; Reading data
call WriteFile          ; Writing data
call CloseHandle        ; Cleanup
```asm

### Registry Operations
```asm
call RegOpenKeyExA      ; Open registry key
call RegQueryValueExA   ; Read registry value
call RegSetValueExA     ; Write registry value
```asm

### Memory Operations
```asm
call VirtualAlloc       ; Allocate memory
call VirtualProtect     ; Change memory protection
call VirtualFree        ; Free memory
```asm

### Network Operations
```asm
call WSAStartup         ; Initialize Winsock
call socket             ; Create socket
call connect            ; Connect to remote host
call send               ; Send data
```asm

<Note>
xAnalyzer's parameter information makes it easy to understand what these functions are doing - what files they're opening, what registry keys they're accessing, what memory regions they're modifying, etc.
</Note>

## Next Steps

Now that you understand the basics:

<CardGroup cols={2}>
  <Card title="Configuration Guide" icon="gear" href="/configuration/options">
    Learn about all configuration options and how to customize xAnalyzer for your workflow
  </Card>
  
  <Card title="API Definition Files" icon="book" href="/api-definitions/overview">
    Understand how to customize and extend the API definition system
  </Card>
  
  <Card title="Features" icon="wand-magic-sparkles" href="/features/api-analysis">
    Explore API analysis, loop detection, and function tracking capabilities
  </Card>
  
  <Card title="Troubleshooting" icon="wrench" href="/advanced/troubleshooting">
    Solutions for common issues and analysis limitations
  </Card>
</CardGroup>

## Getting Help

If you encounter issues or have questions:

- Use `xanal help` command to see built-in help
- Check the **Log** tab for error messages and hints
- Review the [Known Issues](/advanced/limitations) section
- Report bugs on [GitHub Issues](https://github.com/ThunderCls/xAnalyzer/issues)

<Check>
Congratulations! You've completed the quick start guide and are ready to use xAnalyzer effectively in your debugging workflow.
</Check>

Build docs developers (and LLMs) love

Get started for freeTalk to us